So I have sorted it out now. It turns out that defining "UsePAM yes" was causing the keyboard-interactive mode to occur. The odd thing was that defining "-o KbdInteractiveAuthentication=no" had no effect, although it did not produce an error either, meaning it accepted the parameter provided. In the end, I was able to keep the UsePAM option and remove the keyboard-interactive prompt by explicitly defining the authentication methods with "-o PreferredAuthentications=password".

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield@xxxxxxxxxxxxx
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Nico Kadel-Garcia [mailto:nkadel@xxxxxxxxx]
Sent: Friday, January 16, 2015 12:22 AM
To: Trey Henefield
Cc: keisial@xxxxxxxxx; dkg@xxxxxxxxxxxxxxxxx; openssh-unix-dev@xxxxxxxxxxx
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu, Jan 15, 2015 at 5:54 PM, Trey Henefield <trey.henefield@xxxxxxxxxxxxx> wrote:
> Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

RHEL 5 is now 2 major releases behind and was released roughly 7 years ago. Time to update, I think; there have been a *lot* of significant security and architecture changes that can affect the toolchain used to build recent versions of OpenSSH.

> I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.
>
> -----Original Message-----
> From: Daniel Kahn Gillmor [dkg@xxxxxxxxxxxxxxxxx]
> Received: Thursday, 15 Jan 2015, 4:03PM
> To: Trey Henefield [trey.henefield@xxxxxxxxxxxxx]; Ángel González [keisial@xxxxxxxxx]
> CC: openssh-unix-dev@xxxxxxxxxxx [openssh-unix-dev@xxxxxxxxxxx]
> Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...
>
> On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred:
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> root@10.10.2.51's password:
>> debug2: we sent a password packet, wait for reply
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug1: No more authentication methods to try.
>> Permission denied (publickey,password,keyboard-interactive).
>>
>> In the above output, the first prompt is "Password:". The second prompt is "root@10.10.2.51's password:"
>
> The first prompt is a keyboard-interactive prompt; the second prompt is the password prompt.
> Please try again with -oKbdInteractiveAuthentication=no
>
> Regards,
>
> --dkg
>
> PS if possible, you should probably avoid using password authentication for the root account anyway, but that's a sideline to the issue you're seeing here.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
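
An added example, not part of the original thread: a small parser that attributes each prompt in the client debug output above to the authentication method that produced it, which is how the "Password:" prompt is identified as keyboard-interactive. The function names and the `allowed` set are assumptions made for this illustration; the sample lines are taken from the debug output quoted in the thread.

```python
import re

# Client debug lines from the thread's quoted ssh output, trimmed.
SAMPLE_DEBUG = """\
debug1: Next authentication method: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@10.10.2.51's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
CAN_CONTINUE = re.compile(r"^debug1: Authentications that can continue: (\S+)")
DEBUG_LINE = re.compile(r"^debug\d: ")


def attribute_prompts(log_text):
    """Return (attempts, offered): (method, prompt) pairs in the order tried,
    and the set of methods the server advertised as able to continue."""
    attempts, offered = [], set()
    for line in map(str.strip, log_text.splitlines()):
        m = NEXT_METHOD.match(line)
        if m:
            attempts.append([m.group(1), None])
            continue
        m = CAN_CONTINUE.match(line)
        if m:
            offered.update(m.group(1).split(","))
            continue
        # First non-debug line after a method starts is the prompt the user saw.
        if line and attempts and attempts[-1][1] is None and not DEBUG_LINE.match(line):
            attempts[-1][1] = line
    return [tuple(a) for a in attempts], offered


def unexpected_methods(attempts, allowed=("password",)):
    """Methods the client tried that fall outside the intended set."""
    return [method for method, _ in attempts if method not in allowed]


if __name__ == "__main__":
    tried, offered = attribute_prompts(SAMPLE_DEBUG)
    for method, prompt in tried:
        print(f"{method:22} -> {prompt!r}")
    print("server offers:", sorted(offered))
    print("outside intended set:", unexpected_methods(tried))
```

Run against output captured with and without "-o PreferredAuthentications=password", the second function shows whether keyboard-interactive was still attempted.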